util.xmppstream: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning.
--- a/util/xmppstream.lua Sun May 22 16:14:10 2011 -0700
+++ b/util/xmppstream.lua Wed Jun 01 23:02:10 2011 +0100
@@ -19,6 +19,16 @@
local default_log = require "util.logger".init("xmppstream");
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+ default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+ .."vulnerable to denial-of-service attacks. You should upgrade to "
+ .."LuaExpat 1.1.1 or higher as soon as possible. See "
+ .."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
local error = error;
module "xmppstream"
@@ -158,6 +168,17 @@
end
end
+ local function restricted_handler()
+ cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+ end
+
+ if lxp_supports_doctype then
+ xml_handlers.StartDoctypeDecl = restricted_handler;
+ end
+ xml_handlers.Comment = restricted_handler;
+ xml_handlers.StartCdataSection = restricted_handler;
+ xml_handlers.ProcessingInstruction = restricted_handler;
+
local function reset()
stanza, chardata = nil, {};
stack = {};